Vulnerable Mobile Software Management Tool Reaches Into IoT

You could be forgiven for never having heard of Red Bend Software. The company is small – just 250 employees – and privately held. Red Bend’s headquarters is a suite of offices in a nondescript office park in Waltham, Massachusetts, just off Route 128 – America’s “Silicon Highway.”

Red Bend operates out of a suite in this office building in Waltham, Massachusetts. The company dominates the market for mobile system management tools, and its software runs on billions of devices worldwide. (Photo by Paul F. Roberts.)

But the company’s small profile belies a big footprint in the world of mobile devices. Since 2005, more than 2 billion devices running the company’s mobile management software have been sold worldwide. Today, Red Bend is believed to control between 70 and 90 percent of the market for mobile software management (MSM) technology, which carriers use to service mobile devices.

The software enables mobile carriers to do critical tasks, including firmware-over-the-air (FOTA) software updates, mobile device configuration and other on-device changes. Red Bend counts many of the world’s leading companies in the mobile, enterprise and manufacturing sectors as clients, including Intel, Qualcomm, Samsung, Sharp, LG, Sony, Huawei, China Mobile and Lenovo.

The research raises questions about the scrutiny given to powerful software management tools that are bundled with almost every mobile phone sold in the United States. Just as important: Accuvant’s research begs the question of what other devices – from automobiles to agricultural equipment – run the same mobile management software and might also be vulnerable to attack.

Invisible, but ‘feature rich’ software

Speaking with The Security Ledger, Accuvant researchers Ryan Smith*, Mathew Solnik and Marc Blanchou said the software, which runs on mobile phone baseband controllers, is deployed on almost every device they support. But it was terra incognita for software security researchers.

Despite the limitations of running within the constrained operating system of the baseband controller chip, the Accuvant researchers found that the management client software from Red Bend was “feature rich.” Depending on the deployment and the hardware involved, carriers may be able to change the IP address or roaming list of a phone, enable or disable Bluetooth and WiFi services on the device, install and remove mobile applications and even redirect calls, according to Solnik.

Subtle – and not so subtle – flaws

However, features add complexity and open the door to attacks. Solnik and his colleagues uncovered a range of what they call “subtle flaws” in the way that authentication and encryption features are implemented on Red Bend’s mobile management software. Those flaws leave devices that use Red Bend software vulnerable to remote attacks and compromise.

Among the problems the researchers discovered was a weakness in the feature that allows a remote user to securely authenticate to (or log in to) a mobile device that uses vDirect Mobile. By reverse engineering the process Red Bend uses to create the unique password and plugging in publicly broadcast information about a device (like its serial number), the team from Accuvant was able to calculate passwords for the device that would allow them to log in to the vDirect software. Further analysis uncovered memory corruption vulnerabilities in the Red Bend software that would allow an attacker to gain full control of the MSM client as well, Solnik said.

No low-hanging fruit

Not all mobile phones running the Red Bend software are vulnerable to attack. Researchers so far have identified the HTC One M7, Blackberry’s Z10 and Apple iPhones offered by U.S. carrier Sprint and running iOS software prior to 7.0.4 as vulnerable to attack.

Accuvant researchers won’t release exploits for the vulnerabilities they discovered. Even if they did, an attack “in the wild” wouldn’t be easy, Smith said. Attackers would have to set up a cellular base station and trick the phone into connecting to it. That would require physical proximity to the phone – anywhere from 30 feet to 30 yards. To exploit memory corruption holes, attackers would need to know the exact configuration of the device, including what applications were installed on it, Solnik said.

A problem – and not just for mobile phones

But the problems that the Accuvant researchers discovered were proof that mobile system management software is vulnerable. And they raise important questions about the reach of the vDirect Mobile and similar products that come pre-installed on mobile phones and embedded devices.

Red Bend markets its software not just as a way to manage mobile devices – but as a tool that allows companies of all stripes to wring more profit out of the mobile devices that use their networks.

“One of the key value propositions of MSM (is) the detaching of service lifecycle from hardware lifecycle,” Red Bend explains in one piece of marketing literature. “The ability to instantly push a new service to the installed base means that the ROI (return on investment) of the service can be much higher and achieved in a much shorter time, as critical mass of active service users is created in a very short time,” the document reads.

“This software is cross platform and cross carrier,” Solnik said. “These clients are requirements to get on carrier networks…if you want your phone sold by the network you have to put this software on it.”

In fact, mobile phones are only one part of Red Bend’s addressable market – albeit an important one. The company has long partnered with M2M (machine to machine) networking companies and sells vDirect Mobile to automakers as a tool for FOTA updates to wireless components on connected vehicles. Its web site likewise promotes agriculture as an industry where its MSM technology can be useful.

In February, Red Bend was part of an announcement with Qualcomm and Quickplay in support of the AT&T Drive Studio, which was described as a research and innovation center for connected car technologies.

Michael Shaulov, the co-founder and CEO of mobile security firm Lacoon, said that attacks against other devices using the vDirect MSM software “should be pretty similar, regardless of the hardware using the MSM.”

Even with Accuvant’s research, it is hard to know the full reach of Red Bend and its software. The baseband chips bundle the Red Bend software as a compiled binary. That is shipped to OEMs (original equipment manufacturers), who incorporate the hardware and bundled software into their finished products: cell phones, laptops and embedded systems of all sorts.

Because the software is shipped as what Solnik and his colleagues referred to as a “binary blob,” OEMs who are Red Bend customers can’t easily audit the quality of the application code before deploying it. The particularities of the platforms that the vDirect Mobile client is deployed on, and how it is deployed, would determine whether the same kinds of exploits Accuvant’s researchers developed might work against other, non-phone devices.

But the warning about Red Bend’s vDirect product is another data point in a long line of similar stories about security vulnerabilities linked to third party software.

“It’s interesting. The (software) stack on mobile phones are something of a black box,” said Chris Wysopal, the CTO of Veracode. While attacks such as those described by Accuvant are obscure, they’re also likely to escape notice.

Wysopal said that sophisticated organizations – including intelligence agencies like the NSA – will take note of MSM software as a possible target of future attacks. “Other people will be looking – if two guys from Accuvant can do it, the NSA can do it too,” Wysopal said.

(*) Editor’s note: an earlier version of this story used an incorrect last name when referring to Mr. Ryan Smith of the firm Accuvant. The story has been corrected. We apologize for the confusion. Paul 8/5/2014

Author: Paul

I'm an experienced writer, reporter and industry analyst with a decade of experience covering IT security, cyber security and hacking, and a fascination with the fast-emerging "Internet of Things."